Medical records and HIPAA go hand-in-hand, and the rapid progress of technological advancement has only brought the two closer together. The rise of electronic health records (EHR) has sped up the transmission of health data like never before — but innovation doesn’t come without precautions.
In days past, medical records were a completely paper operation — a system that had obvious shortcomings and problems. Over time, however, a shift towards EHRs opened new doors for operational efficiencies and unparalleled collaboration for providers. With these new doors came security issues — which swiftly prompted a laundry list of privacy and security rules headed by the US Department of Health and Human Services.
A Brief History of HIPAA
The Health Insurance Portability and Accountability Act began in 1996, when it was officially signed into law. It was initially enacted for the reasons in its name: to improve the portability and accountability of health insurance coverage processes for employees who may be between jobs. However, that isn’t its sole purpose. It also aimed at combating fraud, waste, and abuse in the delivery of healthcare and health insurance. There are other additional objectives, but for now, we’ll dive into how HIPAA evolved into what it has become today.
In the early 2000s, the US Department of Health and Human Services embarked on creating the very first HIPAA Privacy and Security Rules.
The Privacy Rule governs information held by a covered entity concerning health status, healthcare provisions, or payment for healthcare that is linked to an individual. It outlines how protected health information (PHI) should be handled and disclosed, and requires the patient’s permission before their information is used for any research, fundraising, or marketing. In addition, this rule allows patients to withhold information regarding their healthcare from health insurance providers if the treatment is privately funded.
The Security Rule came just a few years after the original legislation and applies to electronically stored protected health information, also known as ePHI. This rule outlines the administrative, physical, and technical security measures for electronic medical records that a covered entity must have in place to remain compliant with HIPAA guidelines.
So, you’re probably wondering what exactly goes into staying compliant with these guidelines. Well, let’s explore a HIPAA compliance checklist.
HIPAA Compliance Checklist
To help remain compliant, a HIPAA Compliance Checklist gives insight into the various requirements covered entities need to adhere to in order to avoid potential breaches and penalties. This list can help ensure that covered entities comply with the HIPAA Security Rule, whose requirements fall into three categories of safeguards, each covered below.
- Technical safeguards refer to the technology used to store or transmit protected health information in order to keep it safe. This may include specific encryption standards. HIPAA’s technical safeguards are specific, so be sure to review them carefully.
- Physical safeguards refer to how people may have physical access to protected health information. Whether it be servers, cloud data, or remote data centers, HIPAA outlines how health information can be accessed, stored, or transferred.
- Administrative safeguards refer to risk management, risk assessments, contingency planning, training, and a long list of administrative tasks that keep information confidential and protected.
There’s also a long list of HIPAA Rules that govern HIPAA compliance.
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
- HIPAA Omnibus Rule
- HIPAA Enforcement Rule
One of the most significant issues that can arise with HIPAA compliance is a breach — so, let’s discover what can happen as a result.
What Happens When There’s a Breach in Medical Records
One of the most frightening possibilities when it comes to ePHI is a breach, which can cause massive issues for covered entities and affected victims.
Any time information is accessed without authorization, it’s considered a data breach. One of the most common types of breaches is hacking, which has become increasingly prevalent as years progress. Personal information and data are extremely profitable, and hackers understand the power of this data. Breaches can occur in a wide range of ways, from phishing and malware all the way to complete data theft, and any of them can leave covered entities scrambling.
The consequences of a medical breach are unprecedented — averaging a $6.5 M price tag within the healthcare industry. There have been some massive breaches over the years, which have hit insurance companies hard.
The penalties for a medical record breach come in four tiers, each reflecting the severity of the breach and the response of the covered entity. If a company has done its due diligence with the HIPAA compliance checklist, the penalties will be minimal; negligence, however, can be costly.
What is HITECH’s Role in Medical Record Retrieval?
Before we dive into how HITECH may impact HIPAA or medical record retrieval in general, we should explore what it is.
HITECH, also known as the Health Information Technology for Economic and Clinical Health Act, was enacted to promote the implementation of EHRs along with additional technologies throughout the country. This act is in place to compel healthcare authorities to use electronic records instead of the outdated paper system, with incentives to help push the process forward.
One effect of this is that third-party suppliers and business associates are responsible for compliance under the Breach Notification Rule, which requires that any breach affecting more than 500 people be reported to the Office for Civil Rights at the Department of Health and Human Services.
Breach notification includes notifying any victims, along with providing actionable steps to resolve the breach. Sometimes, an entity may pay for the affected individuals to have access to credit reports.
Another effect of HITECH is that business associates like law firms or other third-party companies that may require access to protected health information must show that they are meeting regulatory guidelines. This makes business associates and providers jointly responsible for protecting confidential health and personal information when sharing it.
Who Needs to Worry About Medical Records?
While providers are obviously responsible for HIPAA compliance, covered entities like insurance companies and business associates like law firms should also be aware of the guidelines.
Medical record retrieval is a substantial part of many legal cases and insurance claims. Because it puts protected health information in transit or in storage, HIPAA compliance is essential.
While many businesses choose to handle medical record retrieval in-house, there are outsourcing options to ensure the fastest possible process with optimal safeguards. Outsourced medical record retrieval for law firms can help improve efficiency and speed, taking the burdensome and time-consuming process off paralegals’ plates.
Likewise, many successful insurance companies choose to outsource their medical record retrieval efforts to save on hiring an in-house team. Medical record retrieval for insurance companies is both cost-effective and reliable when it comes to improving overall processes in managing legal liabilities and handling claims.